@nixarn My recommendations on how best to handle the session lifecycle are these simple rules:
- I would set the session token lifetime to be 7 days or similar. This is a practical balance between authentication, authorization, and convenience for the end user. (See the session.token_expiry_sec option in the server.)
- I would incorporate social sign-in into the game as early as possible. With mobile this could be Apple Game Center, Google Play Games, Apple Sign-In, Facebook, Facebook Limited Login, etc. This eliminates most of the hassle with re-authentication by the user because all of those social providers have a silent sign-in option once the first authentication has been done.
- Make a check at game start whether the session token is within 24 hours of its expiration and re-authenticate the user. This way you can extend the lifetime of the session without an interruption to the user’s play experience that day.
- You can also use device ID authentication by default to avoid the need for social sign-in with the initial play experience.
Also, keep an eye on the latest work in the Nakama Unity client where we’re about to open a pull request for review that uses the refresh token work added in the Nakama 3.0 server. This will let you refresh a session on demand as well as enable auto-refresh of a session.
This will not totally eliminate the need to re-authenticate the user because refresh tokens have their own lifetime and can expire (though this can also be configured). (See the session.refresh_token_expiry_sec option in the server.)
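The game-start check described above (re-authenticate when the session token is within 24 hours of expiring, or refresh it if a still-valid refresh token is at hand) as an added, stand-alone Python example; this is not Nakama client or server code. It assumes, as Nakama does, that session and refresh tokens are HS256 JWTs carrying an exp claim; the signing key, claim names, the 30-day refresh-token lifetime and the mint_token / verify_token / plan_session_start helpers are all constructed for this example. The 7-day and 24-hour values are the ones from the post.

```python
"""Session-lifecycle decision at game start (added example, not Nakama code).

Constructed assumptions:
  * session and refresh tokens are HS256 JWTs with an ``exp`` claim;
  * the signing key and claim names are made up;
  * lifetimes mirror the post: 7-day session tokens, a separate (assumed
    30-day) refresh-token lifetime, and a 24-hour re-authentication window.
"""
import base64
import hashlib
import hmac
import json
import time

TOKEN_EXPIRY_SEC = 7 * 24 * 3600           # server: session.token_expiry_sec
REFRESH_TOKEN_EXPIRY_SEC = 30 * 24 * 3600  # server: session.refresh_token_expiry_sec (assumed value)
REAUTH_WINDOW_SEC = 24 * 3600              # client: act when this close to expiry


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, now: int, lifetime_sec: int) -> str:
    """Stand-in for the server issuing a token, so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(dict(claims, exp=now + lifetime_sec), separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def token_expiry(token: str) -> int:
    """Client-side read of the ``exp`` claim for scheduling only.

    The client never holds the signing key, so it cannot verify the signature;
    the server still verifies every token presented to it (see verify_token).
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def verify_token(token: str, key: bytes, now: int) -> bool:
    """Server-side check: constant-time signature compare, then expiry."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    return now < token_expiry(token)


def plan_session_start(session_token: str, refresh_token, now: int,
                       window_sec: int = REAUTH_WINDOW_SEC) -> str:
    """Decide what to do at game start.

    'reuse'          : token valid and not yet inside the window; just connect.
    'refresh'        : inside the window (or already expired) but the refresh
                       token is still valid, so refresh without interrupting play.
    'reauthenticate' : no usable refresh token; run the silent social or
                       device sign-in again.
    """
    if now < token_expiry(session_token) - window_sec:
        return "reuse"
    if refresh_token is not None and now < token_expiry(refresh_token):
        return "refresh"
    return "reauthenticate"


if __name__ == "__main__":
    key = b"constructed-example-key"
    issued = int(time.time())
    s_tok = mint_token({"uid": "player-1"}, key, issued, TOKEN_EXPIRY_SEC)
    r_tok = mint_token({"uid": "player-1", "typ": "refresh"}, key, issued, REFRESH_TOKEN_EXPIRY_SEC)
    for days in (1, 6.5, 8, 31):
        at = issued + int(days * 86400)
        print(f"day {days:>4}: {plan_session_start(s_tok, r_tok, at)}")
```

The client only reads exp to decide when to act; it must never treat that unverified claim as proof the token is still accepted, which is why the server-side verify_token checks the signature before the expiry.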